Hello, I am trying to get a custom API endpoint to work, but I am getting CSRF errors when posting any data to it:
401 (Splunk cannot authenticate the request. CSRF validation failed.)
My endpoint looks like this (my_app/bin/test.py):
#!/usr/bin/python
import os
import csv
import splunk
class Echo(splunk.rest.BaseRestHandler):
def handle_GET(self):
self.response.setStatus(200)
self.response.write('session: ' + self.sessionKey + '\n')
for key, value in self.request["headers"].iteritems():
self.response.write(key + ': ' + value + '\n')
handle_POST = handle_GET
Splunk restmap.conf (my_app/default/restmap.conf):
[script:echo]
match=/echo
handler=test.Echo
Splunk web.conf (my_app/default/web.conf):
[expose:echo]
pattern=echo
methods=GET,POST
I've tried communicating with the API two different ways:
Over port 8000 (POST not working)
Over port 8089 (POST and GET working)
My log (/opt/splunk/var/log/splunk/splunkd.log) keeps saying this: ERROR UiAuth - Request from xxx.xxx.xxx.xxx to "/en-US/splunkd/__raw/services/echo" failed CSRF validation -- expected "5038769918656995927", but instead cookie had "5038769918656995927" and form parameter had ""
What I've tried:
Adding skipCSRFProtection=1 to the endpoints config in web.conf (documented feature) but it seems to have zero effect.
Cleared my cookies for the domain, as detailed in this splunk answers question: answers.splunk.com/answers/581168/splunk-cannot-authenticate-the-request-csrf-valida.html
Tried manually adding X-Splunk-Form-Key as a header, as suggested by this splunk answers question: answers.splunk.com/answers/661095/post-to-splunkd-raw-endpoint-returns-csrf-validati.html
It feels like the session cookies are not being transmitted properly, but that doesn't seem correct, given the headers received in the GET request example attached.
What I need:
I need to be able to communicate with the web API (authenticated) on port 8000 for GET and POST requests. I am trying to make requests in my custom dashboard:
const service = mvc.createService({
owner: 'username here'
});
service.post(
'/services/echo',
JSON.stringify({ my: data }),
function(err, response) {
// what ever
}
);
Other Info:
I'm running splunk in docker, using the 7.1.2 tag.
... View more